CISM - Certified Information Security Manager
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
What is the BEST way to ensure that contract programmers comply with organizational security policies?
Perform periodic security reviews of the contractors
Which of the following is the MOST important risk associated with middleware in a client-server environment?
System integrity may be affected
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
install an intrusion detection system (IDS).
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
recovery point objective (RPO).
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
verify the decision with the business units.
Which of the following guarantees that data in a file have not changed?
Creating a hash of the file, then comparing the file hashes
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
a statement regarding what the company will do with the information it collects.
It is important to develop an information security baseline because it helps to define:
the minimum acceptable security to be implemented.
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
weaknesses in network and server security.
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
Senior management commitment and support for information security can BEST be enhanced through:
periodic review of alignment with business management goals.
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
Initially load the patches on a test machine
An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?
Isolate the server from the network.
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:
map the major threats to business objectives.
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
When an emergency security patch is received via electronic mail, the patch should FIRST be:
validated to ensure its authenticity.
The information classification scheme should:
consider possible impact of a security breach.
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
mitigating the risk.
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
retrieve the tapes from the warm site and test them.
Which of the following is the BEST justification to convince management to invest in an information security program?
Increased business value
The MAIN goal of an information security strategic plan is to:
protect information assets and resources.
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
Copies of the business continuity plan
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
Give a dummy password over the telephone, set for immediate expiration
The PRIMARY objective of a risk management program is to:
minimize residual risk.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
it implies compliance risks.
The PRIMARY objective of security awareness is to:
influence employee behavior.
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
Percent of control objectives accomplished
Which of the following would BEST prepare an information security manager for regulatory reviews?
Perform self-assessments using regulatory guidelines and reports
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A risk assessment should be conducted:
annually or whenever there is a significant change.
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
Evaluate the impact of information security risks
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
An intrusion prevention system (IPS)
In assessing risk, it is MOST essential to:
consider both monetary value and likelihood of loss.
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
Identify the vulnerable systems and apply compensating controls
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
Centralizing security management
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
Senior management commitment
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
an effective control over connectivity and continuity.
Nonrepudiation can BEST be assured by using:
An information security program should be sponsored by:
key business process owners.
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
the plan aligns with the organization's business plan.
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
Enable system-enforced password configuration
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
Restrict access to a need-to-know basis
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is: